(57) A safety PLC 1 and at least one safety slave unit 2 are connected through a safety network 3. The safety slave unit has a safety information transmission function for transmitting the safety information for determining whether a safe state prevails or not, and an unsafety information transmission function for transmitting the unsafety information containing no safety information. The unsafety information transmission function transmits the unsafety information on condition that the safety slave unit is in a safe state. Specifically, in the case where it is determined that no safe state prevails at the timing of transmitting the unsafety information, the unsafety information is not sent but the safety information is transmitted. A safety controller, upon receipt of the unsafety information, estimates that the safety slave unit at the transmitting end of the particular unsafety information is in a safe state.

Description
TECHNICAL FIELD 

[0001] The present invention relates to a safety network system, a safety slave unit, a safety controller and a communication method, and an information collecting method and a monitoring method for the safety network system.

BACKGROUND ART 

[0002] A programmable controller (hereinafter referred to as "PLC") used for factory automation (hereinafter referred to as "FA") performs the control operation in such a manner that the on/off information is input from an input device such as a switch or a sensor, the logical operation is executed according to a sequence program (also called a user program) written in the ladder language or the like, and in accordance with the operation result thus determined, on/off information signals are output to an output device such as a relay, a valve or an actuator.

[0003] The PLC is connected to the input devices or the output devices either directly or through a network. In the case where a network system connected by a network is constructed, the on/off information is transmitted and received through the network. In the process, the information is transmitted by a master-slave method in which the PLC normally acts as a master unit, and the devices as slave units.

[0004] In recent years, on the other hand, a fail-safe (safety) system has been introduced also in the PLC operation. Specifically, not only the PLC and the devices but the network has a security function built therein. The security function is the one for confirming safety and producing an output. In the case where the network system enters a hazardous state as an emergency stop switch is depressed or a sensor such as a light curtain detects intrusion of a person (a part of a human body), the fail-safe system is so activated that the safety system turns to the safety side and halts the operation. In other words, the aforementioned safety functions cause the system to produce an output and operate a machine only when safety is stored. If safety cannot be confirmed, therefore, the machine stops.

[0005] In a network system having the safety functions (safety network system) described above, the maximum response time from the occurrence of a fault, a hazardous situation or other unsafe state to the execution of the safety operation (device halt, etc.) is required to be kept constant. Specifically, in the case where information is transmitted by the master-slave method, as is well known, the slave units return a safety response to a master unit sequentially in response to the request of the master unit, as shown in Fig. 1(a). In the shown case, three slave units constitute a network system. The on/off information handled here is I/O information for safety control in the form of normal (safe) or fault (hazardous). The maximum response time guarantees the time consumed for each communication cycle.

[0006] On the other hand, demand is high for collecting complementary information (unsafety information) other than the safety information described above, such as the slave unit status, the turn-on time and the number of times operated, for monitoring the slave units and the devices connected to the slave units. By acquiring this unsafety information, the life of the devices, for example, can be determined, and the devices can be replaced before they actually develop a malfunction and the system halts.

[0007] The unsafety information may be sent, for example, as shown in Fig. 1(a), in which only the unsafety information is transmitted in the communication cycle 1 while only the safety information is transmitted in the next communication cycle 2. According to this method, however, the safety information cannot be sent during the communication cycle 1, and therefore the maximum response time is as long as twice the length of the communication cycle.

[0008] As another method, as shown in Fig. 1(b), the safety response for transmitting the safety information in response to a request of a master unit can be returned with the unsafety information added thereto. Also in this case, as compared with the case of Fig. 1(a) in which only the safety response is returned, each communication cycle consumes a longer time. In any of these methods, therefore, the demand for shortening the maximum response time cannot be satisfied.

[0009] The object of this invention is to provide a safety network system, a safety slave unit, a safety controller and a communication method, and an information collecting method and a monitoring method for the safety network system in which the response time of the original safety signal is not delayed even in the case where information other than the safety signal is transmitted or received while the system is in operation.

DISCLOSURE OF THE INVENTION 

[0010] In order to achieve the object described above, a safety network system according to this invention is constructed by connecting a safety controller and a safety slave unit to each other through a safety network. The safety network system is such that in the case where an abnormal or hazardous or other unsafe situation occurs in the network system, the fail-safe function is activated to avoid the abnormality or hazard. The safety controller, the safety slave unit and the safety network are devices used for the fail-safe processing.

[0011] The safety slave unit includes a safety information transmission function for transmitting the safety information for determining whether a safe state prevails or not and an unsafety information transmission function for transmitting the unsafety information containing no safety information. The unsafety information transmission function is configured to transmit the unsafety information on condition that the safety slave unit is in a safe state.

[0012] Preferably, the safety slave unit has the function of transmitting the safety information without sending the unsafety information in the case where it is determined that no safe state prevails at the timing of transmitting the unsafety information.

[0013] The communication method according to this invention is used for the safety network system constructed by connecting a safety controller and a safety slave unit to each other through a safety network. The safety slave unit executes the process of transmitting the safety information for determining whether a safe state prevails or not or the unsafety information containing no safety information, toward the safety controller through the safety network at a predetermined timing. In the process, the process of transmitting the unsafety information is executed on condition that the safety slave unit is in a safe state.

[0014] The safety slave unit according to this invention has the safety information transmission function for transmitting the safety information for determining whether a safe state prevails and the unsafety information transmission function for transmitting the unsafety information containing no safety information. The unsafety information transmission function is so configured as to transmit the unsafety information on condition that a safe state prevails. Each transmission function of the safety slave unit is implemented by an MPU 23 according to an embodiment.

[0015] Further, the safety controller according to this invention has the fail-safe processing function for analyzing the contents of the safety information received from the safety slave unit, and upon determination that no safe state prevails, executing a predetermined process, and the function for estimating that the safety slave unit of the transmitting end is in a safe state in the case where the unsafety information is received.

[0016] According to this invention, the fact that the unsafety information is transmitted indicates that the safety of the safety slave unit is guaranteed. In the case where the safety slave unit is in a safe state, therefore, the safety controller, upon receipt of the safety information, can indirectly ascertain that the safety slave unit is in a safe state, and upon receipt of the unsafety information, can indirectly ascertain that the safety slave unit is in a safe state. Also, if the safe state ceases at the timing of transmitting the unsafety information, the safety information indicating that no safe state prevails (hazardous or abnormal) is transmitted. In the case where the safe state ceases, therefore, the response time before activation of the fail-safe function need not be extended.

[0017] In this way, the time of updating the unsafety information required by the user can be set. Even in the case where the unsafety information is transmitted, the safe state is guaranteed, and therefore the response time is not as long as in the case where the safety information is transmitted each time.

[0018] In other words, the unsafety information can be notified from the slave unit (safety slave unit) to the master unit (safety controller) without affecting the traffic of the safety network. As a result, the update time of the unsafety information can be set by the user, thereby making possible the management suitable for the user applications. Also, since the unsafety information can be collected without halting the system, the devices can be monitored on line.

[0019] The transmission timing of the unsafety information may be controlled either on the part of the safety controller or on the part of the safety slave unit. Specifically, the former can be implemented by the safety controller including unsafety information request control means for controlling the timing of issuing an unsafety information transmission request. The safety slave unit to meet this situation can be so configured as to determine whether the request received from the safety controller concerns the safety information or the unsafety information, and in the case of the safety information request, transmit the safety information. In the case of the request for the unsafety information, on the other hand, the safety slave unit transmits the unsafety information in the case where the particular slave unit is in a safe state and transmits the safety information in the case where the slave unit is not in a safe state. In the latter case, the safety slave unit includes unsafety information transmission control means for controlling the timing of transmitting the unsafety information, and has such a configuration that the unsafety information is transmitted on condition that no safe state prevails at the time of transmission. Also, the specific value of the transmission timing may be set either by the maker at the time of manufacture or by the user.
[0020] The safety information contains the information as to whether at least the slave unit and/or the safety devices connected thereto are in a safe state or not. Nevertheless, other information may of course also be contained. The unsafety information, in contrast, is various information containing no safety information. The relay life, the investigation result, the turn-on time, the number of times operated and the model are some examples. The "turn-on time" and the "number of times operated", for example, are determined by measuring or counting with the timer or counter, and the numerical values as of the time of measurement are sent as unsafety information. The "relay life" is a life prediction. Specifically, the relay life representing the unsafety information as it is called here is not the information indicating that the life has expired and no safety operation is possible (in which case the information is handled as safety information) but predictive information that although the relay is operating safely, the time requiring maintenance (change, readjustment, etc.) is approaching. The "investigation result" is the information predicted or detected statistically. In other words, it is not the result of the self-diagnosis conducted as to safety on the part of the slave unit. The self-diagnosis result is sent as safety information. Examples of the inspection result as unsafety information include the following: (1) life has almost expired, (2) the relay is used in an unfavorable environment, (3) temperature, (4) vibrations, (5) supplied voltage, and (6) used in overloaded state. By acquiring this information, early maintenance work (change, readjustment, etc.) is made possible, thereby preventing a case in which the relay becomes inoperative upon expiry of life or a fault has an excessively large effect.
[0021] Further, the information collecting method for the safety network system according to this invention presupposes a safety network system constructed by connecting the safety controller and the safety slave unit through the safety network. The safety slave unit has the safety information transmission function for transmitting the safety information for determining whether a safe state prevails or not and the unsafety information transmission function for transmitting the unsafety information containing no safety information. The unsafety information transmission function is for transmitting the unsafety information on condition that the safety slave unit is in a safe state. When the safety slave unit transmits information toward the safety controller, the unsafety information transmission function determines which of the safety information and the unsafety information is to be transmitted, and transmits the information thus determined through the safety network. The safety controller receives the safety information or the unsafety information sent through the safety network, and in the case where the received information is the unsafety information, stores the information based on the particular unsafety information.

[0022] By doing so, the safety controller can acquire the unsafety information from the safety slave unit connected to the safety network. In addition, in the case where no safe state prevails at the timing of transmitting the unsafety information, the safety information is sent, and therefore the unsafety information can be collected without deteriorating the reliability of the safety system. Also, in the case where the unsafety information is collected, safety can be indirectly recognized.
[0023] The monitor method according to this invention is for a system constructed by further connecting a monitor device to the safety network system constructed by connecting the safety controller and the safety slave unit to each other through the safety network. The safety slave has the safety information transmission function for transmitting the safety information for determining whether a safe state prevails or not and the unsafety information transmission function for transmitting the unsafety information containing no safety information. The unsafety information transmission function is for transmitting the unsafety information on condition that the safety slave unit is in a safe state. The monitor device acquires the unsafety information transmitted toward the safety controller from the safety slave unit, analyzes the unsafety information thus acquired, and stores the information based on the particular unsafety information.

[0024] The monitor device is connected to the safety controller and can acquire the unsafety information indirectly through the safety controller. Also, the unsafety information can be directly collected by connecting the monitor device to the safety network, monitoring the frames transmitted on the safety network and receiving the unsafety information addressed to the safety controller.

[0025] The monitor device can acquire the unsafety information from the safety slave unit connected to the safety network. In addition, in the case where no safe state prevails at the timing of transmitting the unsafety information, the safety information is sent. Therefore, the unsafety information can be collected and the monitoring operation can be performed without deteriorating the reliability of the safety system. By the way, the data can be stored in any of various forms including the logging data. In addition, in the case where the unsafety information is acquired, it can be indirectly recognized that the safety system is in a safe state. This monitor device corresponds to the tool of the personal computer 5. Also, the devices called the monitoring device and the configurator correspond to the monitor device.

BRIEF DESCRIPTION OF THE DRAWINGS 



[0026]

Fig. 1 is a diagram showing the prior art.
Fig. 2 is a diagram showing a safety network system according to a preferred embodiment of the invention.
Fig. 3 is a diagram showing the essential parts of a safety controller (PLC) according to a preferred embodiment of the invention.
Fig. 4 is a diagram showing a safety slave unit according to a preferred embodiment of the invention.
Fig. 5 is a diagram for explaining the operation of this embodiment.
Fig. 6 is a diagram showing an example of the data structure of the transmission frame.
Fig. 7 shows a part of the flowchart for explaining the functions of the MPU of the safety PLC (master unit).
Fig. 8 shows a part of the flowchart for explaining the functions of the MPU of the safety PLC (master unit).
Fig. 9 shows a part of the flowchart for explaining the functions of the MPU of the safety PLC (master unit).
Fig. 10 is a flowchart for explaining the functions of the MPU of the safety slave unit.
Fig. 11 is a diagram for explaining the operation of this embodiment.
Fig. 12 is a diagram for explaining the operation of another embodiment.

EP 1 396 963 A1

Fig. 13 is a diagram for explaining the operation of a modification.
Fig. 14 is a flowchart for explaining the functions of the MPU of the safety slave according to a modification.
Fig. 15 is a diagram showing an example of the data structure of the transmission frame according to a modification.
Fig. 16 shows a part of the flowchart for explaining the functions of the information receiving end according to a modification.

BEST MODE FOR CARRYING OUT THE INVENTION 

[0027] This invention is explained in detail with reference to the accompanying drawings. Specifically, Fig. 2 shows an example of a safety network system according to this invention. As shown in Fig. 2, a safety PLC 1 and a plurality of safety slave units 2 are connected to each other through a safety network 3. Each safety slave unit 2 is connected with an emergency stop switch and other various safety devices 4 such as various input devices and output devices. The safety PLC 1 is configured of a plurality of units including a CPU unit 1a, a master unit (communication unit) 1b and an I/O unit 1c connected to each other.

[0028] Further, a personal computer 5 is connectable as a tool to the CPU unit 1a and the master unit 1b of the safety PLC 1 and the safety network 3. This personal computer 5, through the safety PLC 1, collects and manages the information on the safety slave units 2 and the safety devices 4 connected thereto.

[0029] All of the various devices making up this safety network system have a built-in safety (fail-safe) function. The safety function is for confirming the safety and produces a (control) output. Once a hazardous situation arrives, the fail-safe function is activated and the system turns to safety side to halt the operation. Specifically, the safety system is such that when the emergency stop switch is depressed, a sensor such as a light curtain detects the intrusion of a person (a part of human body) or otherwise a hazardous situation of the network system arrives, the fail-safe function works and the system turns to safety side to halt the operation. In other words, this system allows an output to be produced and a machine to operate only in the case where safety is stored by the safety functions. If safety cannot be confirmed, therefore, the machine stops.
[0030] Next, of these safety functions, the transmission and receiving of information constituting the essential feature of the invention is explained. The master unit 1b has a built-in communication function and is adapted to transmit and receive information to and from the safety slave units 2 by the master-slave method. The basic operation is similar to that of the prior art, and as shown in Fig. 1(a), in compliance with the request from the safety PLC 1 (master unit 1b), a given safety slave unit 2 that has received the particular request returns the safety information as a safety response. The request is issued to the slave units 2 in the order of (1) → (2) → (3), and the safety information is collected from all the three safety slave units 2 in one communication cycle. This communication cycle is repeatedly executed.

[0031] The master unit 1b for controlling the communication has an internal structure as shown in Fig. 3. Specifically, the master unit 1b has an MPU 10 for reading the program stored in a system ROM 11 and executing a predetermined process appropriately using the memory area of a system RAM 12. Further, the master unit 1b has a communication interface 13 connected to the safety network 3 to transmit and receive the data to and from a predetermined safety slave unit 2. Furthermore, the master unit 1b has an unsafety information storage unit 14 for storing the unsafety information sent from the safety slave units 2. Specifically, also according to this embodiment, as in the prior art, the unsafety information is sent from each safety slave unit 2, and stored by relating it to the addresses of the safety slave units. The unsafety information of the safety slave units stored in the unsafety information storage unit 14 is extracted periodically or in compliance with a read instruction of the personal computer (tool) 5.

[0032] Naturally, this master unit 1b also corresponds to the safety network system and has various built-in safety functions. Specifically, though not shown, two MPUs 10 are provided and caused to execute the same program at the same time, and only in the case where the two results are coincident, the output is determined as correct and processed. Other safety functions are of course provided in correspondence with the safety network system.

[0033] As an example of the program executed by the MPU 10 of the master unit 1b, the MPU 10 issues a request to a predetermined slave unit 2, and receiving a response to the request, executes a predetermined process in accordance with the contents of the response received. The MPU 10 of course also executes the process of transmitting the information to a predetermined slave unit 2 in compliance with an instruction from the CPU unit 1a.

[0034] The internal structure of the safety slave unit 2 is shown in Fig. 4. As shown in this drawing, the safety slave unit 2 includes a communication interface 21 connected to the safety network 3 for transmitting and receiving the data to and from the safety PLC 1 (master unit 1b), an input/output interface 22 for transmitting and receiving the data to and from the safety devices 4 connected to the safety slave units 2, and an MPU 23 for reading the program stored in the system ROM 24 and executing a predetermined process by appropriately using the memory area of the system RAM 25. The MPU 23, in compliance with the request to itself received through the communication interface 21, executes the process of returning the information (the safety information, etc.) acquired from the safety devices 4 through the input/output interface 22, to the master unit 1b through the communication interface 21 and the safety network 3.

[0035] Further, the MPU 23 has the function of self-diagnosis and monitoring the operating conditions (the turn-on time, the number of times turned on/off, etc.) of the safety devices 4, and executes the process of storing in the unsafety information storage memory 26 the unsafety information such as the diagnosis result and the operating conditions acquired by activating the various functions. The unsafety information stored in the unsafety information storage memory 26 is also returned in compliance with the request of the master unit 1b and transmitted to the master unit 1b.

[0036] Specifically, the request from the master unit 1b is of two types including the safety information request and the unsafety information request, and the safety slave units 2 return the required type of information as a response. Actually, a request is issued with a sequence No. which is incremented by one each time of transmission, and according to the value of this sequence No., each safety slave unit determines whether a given request concerns the safety information or the unsafety information.

[0037] According to this embodiment, the master unit 1b has an unsafety information request control unit 15 for arbitrarily setting the timing of collecting the unsafety information from each safety slave unit 2 to execute the required process. Specifically, the unsafety information request control unit 15, which includes a timer or a counter, sends a trigger signal to the MPU 10 upon each lapse of a predetermined length of time or for each predetermined number of communication cycles. The MPU 10 normally issues a request for acquiring the safety information, and upon receipt of a trigger signal, issues a request to acquire the unsafety information in the next one cycle. By doing so, the unsafety information can be collected in cycles set by the user. This is of course possible even while the system is in operation. The processing function of the MPU 10 with regard to the output of this request is described in detail later.

[0038] The safety slave unit 2, on the other hand, returns the safety information or the unsafety information in compliance with the request from the master unit 1b, as described above. In the process, the safety slave unit 2 further executes the process described below. Specifically, in the case where the safety information is requested, the safety information currently available is returned as it is. In the case where the unsafety information is requested, on the other hand, it is first determined whether the particular safety slave unit 2 is in a safe state or not, and in the case where it is in a safe state, the unsafety information is returned, while in the case where the safety slave unit 2 is not in a safe state (hazardous, or abnormal), the safety information is transmitted. The safety information as used in this case is indicative of a "fault notice".

[0039] By doing so, in the case where the unsafety information arrives, the safe state of the safety slave unit 2 that has sent the particular unsafety information is guaranteed. Therefore, the master unit 1b, upon receipt of a response of unsafety information from the safety slave unit 2 in compliance with the unsafety information request, determines that a safe state prevails, and thus can collect the unsafety information as originally intended without the need of the fail-safe process such as emergency stop. In the case where the safety slave unit 2 is not in a safe state, on the other hand, the safety information (fault notice) is sent even in the case where the request of the unsafety information is issued, and therefore a predetermined security process is executed. In this way, the time requiring one communication cycle is guaranteed as a response time in case of a fault.

[0040] As an example, assume that, as shown in Fig. 5, a normal safety information request is given in the (N-1)th communication cycle while an unsafety information request is issued in the Nth communication cycle. In the case where each safety slave unit 2 is in a safe state, as shown in Fig. 5(a), the type of information requested is returned from each safety slave unit. In the case where a fault occurs after the safety slave unit (2) returns the safety response in the (N-1)th communication cycle, on the other hand, the safety slave unit (2) sends a safety response in the next Nth communication cycle. Therefore, the time t from the fault occurrence to the output of the safety response is shorter than the time T0 of one communication cycle.

[0041] To realize the above-mentioned process, it is necessary to discriminate whether the information received on the part of the master unit 1b is the safety information or the unsafety information. According to this embodiment, as shown in Fig. 6, an identification bit is added to discriminate the safety information and the unsafety information from each other as information stored in the transmission frame. As a result, the master unit 1b can determine whether the received transmission frame is the safety information or the unsafety information by checking the value of the identification bit.
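
The slave-side rule of [0038] and the identification-bit check of [0041], as an added simulation that is not part of the patent text. It assumes one sequence No. per communication cycle, a hypothetical frame layout, the bit values 1 = safety and 0 = unsafety information, and an ungated slave (one that always answers an unsafety request with unsafety information) included only for comparison.

```python
from dataclasses import dataclass

SAFETY, UNSAFETY = 1, 0  # identification bit: 1 = safety info, 0 = unsafety info


@dataclass
class Frame:
    """Hypothetical response frame: sender address, identification bit, data."""
    addr: int
    ident_bit: int
    data: dict


class SafetySlave:
    def __init__(self, addr, gated=True):
        self.addr = addr
        self.gated = gated   # True: rule described above; False: ungated comparison
        self.safe = True
        self.op_count = 0    # constructed unsafety information (times operated)

    def respond(self, seq_no, period):
        """Answer one request; every `period`-th sequence No. asks for unsafety info."""
        wants_unsafety = seq_no % period == 0
        if wants_unsafety and (self.safe or not self.gated):
            return Frame(self.addr, UNSAFETY, {"op_count": self.op_count})
        # Safety request, or unsafety request while not safe: send safety
        # information (a fault notice when self.safe is False).
        return Frame(self.addr, SAFETY, {"safe": self.safe})


class SafetyMaster:
    def __init__(self, slaves, period):
        self.slaves = slaves
        self.period = period
        self.unsafety_store = {}  # slave address -> latest unsafety information

    def run_cycle(self, seq_no):
        """Poll every slave once; return False when the fail-safe is triggered."""
        for slave in self.slaves:
            frame = slave.respond(seq_no, self.period)
            if frame.ident_bit == UNSAFETY:
                # Receiving unsafety information is taken as proof of a safe state.
                self.unsafety_store[frame.addr] = frame.data
            elif not frame.data["safe"]:
                return False      # fault notice received: halt the outputs
        return True


def cycles_until_failsafe(gated, fault_after_cycle, period=3, max_cycles=20):
    """Cycles between a fault in slave (2) and the master's fail-safe reaction.

    The fault appears just after slave (2) has answered in `fault_after_cycle`.
    Returns None if the master never reacts within `max_cycles`.
    """
    slaves = [SafetySlave(addr, gated) for addr in (1, 2, 3)]
    master = SafetyMaster(slaves, period)
    for cycle in range(1, max_cycles + 1):
        if not master.run_cycle(cycle):
            return cycle - fault_after_cycle
        if cycle == fault_after_cycle:
            slaves[1].safe = False
    return None


def worst_case(gated, period=3):
    """Longest reaction delay over every position of the fault in the schedule."""
    return max(cycles_until_failsafe(gated, k, period)
               for k in range(1, 2 * period + 1))


if __name__ == "__main__":
    print("gated slave, worst case (cycles):  ", worst_case(True))
    print("ungated slave, worst case (cycles):", worst_case(False))
```

With the gating rule the fault notice always arrives in the cycle after the fault; without it, a fault that falls just before an unsafety cycle is seen one cycle later, which is the doubled response time described for the scheme of Fig. 1(a).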
[0042] Next, an explanation is given about the processing steps executed in the MPU 10 of the safety PLC 1 (master unit 1b) and the MPU 23 of the safety slave units 2 for conducting a series of the data communication described above. The MPU 10 of the master unit 1b has the function of executing the steps of the flowcharts shown in Figs. 7 to 9. Assume that there are three safety slave units (1) to (3) as shown in Fig. 1, and the unsafety information is updated at intervals in terms of communication cycles and acquired at the rate of one of three communication cycles.

[0043] Once power is switched on, the arrival of the setting input for the unsafety information update period from the user is awaited (ST1, ST2). Upon setting of the unsafety information update period (each three communication cycles in this embodiment), the sequence No. 3 is set to unsafety (ST3), and the sequence No. 3 of the slave units ((1) to (3)) is set to request the unsafety information (ST4, ST5). According to this embodiment, the update period is set by the unsafety information request control unit 15.

[0044] In the case where the update timing is once
every N times, the conversion to unsafety in step 3 is of
course to set the sequence No. "N" to unsafety. Also,
according to this embodiment, the unsafety information 
is collected in the same communication cycle (the third 
communication cycle in this embodiment) for all the 
safety slave units. Alternatively, however, the cycle can 
be set for each safety slave unit, so that the unsafety 
information may be collected in different communication 
cycles. Further, the update period can be varied from 
one slave unit to another. 

[0045] Upon completion of each process described 
above, the safety network system is actually activated 
to perform a predetermined control operation. Specifi- 
cally, the value n of the sequence No. is first set to 1 
(ST6) and a request is transmitted to the safety slave 
unit (1) (ST7). This request is accompanied by the sequence
No. Thus, the first request after power is thrown
in is the sequence No. "1".

[0046] The response from the safety slave unit (1) is
awaited, and upon receipt of the transmission frame
from the safety slave unit (1), the identification bit is analyzed
to determine whether the value is "0" or not
(ST8). In the case where the identification bit is not "0",
i.e. it is "1", the safety information has been transmitted.
This data section is analyzed and the safety information
of the safety slave unit (1) is received (ST9). It is then
determined whether the safety state is "safe" or not
(ST10), and in the case of "safe", a request with the sequence
No. is transmitted to the safety slave unit (2).

[0047] In the case where the branching decision in
step 8 is "Yes", that is to say, the identification bit is 0,
the information that has been sent is the unsafety information.
Therefore, the process jumps to step 11 and the
unsafety information for the safety slave unit (1) is received
(step ST11). Also, the current safety state of the
safety slave unit (1) is estimated as safe (ST12). After
that, the process proceeds to step 13 for outputting a
request to the slave unit (2).

[0048] A similar process is executed for the safety 
slave unit (2) (ST13 to ST18), and then for the safety 
slave unit (3) (ST19 to ST24). As a result, the safety 
information or the unsafety information can be collected 
in one communication cycle. 

[0049] Once the information is acquired from the
three safety slave units (1) to (3), it is determined whether
n is 3 or more (ST25), and in the case where n is less
than 3, n is incremented by 1 (ST26), while in the case
where n is not less than 3, n is set to 1 (ST27). After
that, the process returns to step 7, and the next communication
cycle is executed. After that, the process of
steps 7 to 28 is repeatedly executed.

[0050] In the case where the determination as to safety
in steps 10, 16 and 22 is "No", i.e. the received safety
information is "not safe", the process jumps to step 28,
where the safety output is shut off to halt the operation
(ST28, ST29). By the way, the specific process in steps
28, 29 is similar to the process for the fault notice (hazardous)
in the conventional safety network system, and
therefore is not described in detail.

[0051] On the other hand, the operation of the MPU
23 of each safety slave unit is shown in Fig. 10. Specifically,
after power is thrown in, the sequence No. for
transmitting the unsafety information sent from the master
unit 1b is acquired and set. In this case, the sequence
No. "3" is set as the timing of transmitting the unsafety
information (ST30, ST31).

[0052] Next, a request from the master unit 1b is
awaited (ST32), and upon receipt of the request, it is
determined whether a safe state now prevails or not
(ST33). In the case where no safe state prevails, "hazardous"
is transmitted as the safety information (ST34).
In the case where a safe state prevails, on the other
hand, the sequence No. added to the request is
checked, and in the case where the sequence No. is "3",
the unsafety information is transmitted, while in the case
of other than 3, the safety information (safe) is transmitted
(ST35, ST36, ST37). After that, the process of steps
32 to 37 is repeatedly executed.

[0053] The process described above, as viewed from
the operation of one safety slave unit, is shown in Fig.
11. Specifically, the requests sent from the master unit
1b have added thereto the sequence Nos. 1 to 3 sequentially
repeated in such an order as "1 -> 2 -> 3 ->
1...". Upon receipt of the request of the sequence No.
"3", the unsafety information is returned. As a result, as
shown in Fig. 11(a), assuming that a safety slave unit is
in a safe state, the master unit receives the unsafety
information of the particular safety slave unit at the rate
of once every three times, and therefore can confirm the
safety by receiving the particular unsafety information.

[0054] Also, as shown in Fig. 11(b), in the case where
the safety is ended when the sequence No. is "3", the
safety response is given without sending the unsafety
information. Thus, the master unit cannot receive the
unsafety information but is informed of a hazardous situation
from the safety response, and therefore executes
a predetermined safety process such as a halt process.
By the way, though not shown, in the case where the
safety ends with the request of the sequence No. 1 or
2, the safety response (fault notice) is sent as usual, so
that a predetermined safety process is executed based
on the particular safety response.

[0055] In the embodiment described above, the unsafety
information is acquired at the rate of once every
N times. However, this invention is not limited to such a
rate but the unsafety information can be acquired at regular
time intervals. In this case, the sequence No. for
transmitting the unsafety information is not determined
as described above, but a flag is attached or otherwise
to discriminate the normal safety information request
and the unsafety information request from each other
on the part of the safety slave unit. The unsafety information
request control unit 15 has a timer, and each time
a set time passes, sends a trigger signal to the MPU 10.
The MPU 10, which normally issues a safety information
request, issues an unsafety information request upon
receipt of the trigger signal.

[0056] Also, in the case where the unsafety informa- 
tion is collected by the number of the communication 
cycles, assume that the master unit issues both the 
safety information request and the unsafety information 
request as in the aforementioned case. The unsafety in- 
formation request control unit 15 may have a counter, 
and counts the number of times the request is issued. 
Once a predetermined number of times is reached, a 
trigger signal is output, and the MPU 10 that has re- 
ceived the trigger signal may output an unsafety infor- 
mation request. 

[0057] In the example described above, the timing of 
acquiring the unsafety information is controlled by the 
master unit. This invention is not limited to such a con- 
figuration, but the acquisition timing may alternatively 
be controlled on the part of the safety slave unit. In such 
a case, as shown in Fig. 4, the safety slave unit 2 is 
equipped with an unsafety information transmission 
control unit 28. This unsafety information transmission 
control unit 28 includes a timer or a counter and applies
a trigger signal for unsafety information transmission to 
the MPU 23 at a preset timing (after predetermined time 
or predetermined communication sessions) of updating 
the unsafety information. 

[0058] The MPU 23, at the request of the master unit 
1b, normally gives a safety response and returns the 
safety information (safe/hazardous). Upon receipt of a 
trigger signal, on the other hand, the MPU 23 checks 
the present safety state in response to a request, and 
in the case where a safe state prevails, sends the un- 
safety information. In the case where no safe state pre- 
vails (abnormal or hazardous), however, the safety re- 
sponse is returned even when a trigger signal is re- 
ceived. By the way, in order that the master unit may be 
informed which of the safety information and the unsafe- 
ty information is transmitted, the MPU 23 attaches a rec- 
ognition bit in the transmission frame as shown in Fig. 
6 also in the case under consideration, and sets it to "0"
or "1".

[0059] The master unit 1b, on the other hand, transmits
a request to the safety slave units sequentially in
predetermined communication cycles and waits for a response
from a corresponding safety slave unit. Upon receipt
of the transmission frame from a safety slave unit,
the master unit 1b confirms the recognition bit and discriminates
the safety information and the unsafety information
from each other. In the case where the unsafety
information is involved, the acquired unsafety information
is stored in the unsafety information storage unit 14,
while at the same time recognizing the safety. In the
case where the received information is the safety information,
on the other hand, the contents thereof are acquired,
and in the case where no safe state prevails, a
predetermined security process is executed.

[0060] A timing chart for data transmission and receipt
between the master unit and the slave units for the
above-mentioned operation is shown in Fig. 12. In the
shown case, every safety slave unit is in a safe state,
and therefore the respective unsafety information is
transmitted at the timing of transmitting the unsafety information.
The master unit that has received this unsafety
information acquires the unsafety information on the
one hand and can confirm the safety at the same time.
In the case where no safe state prevails at the timing of
transmitting this unsafety information, the safety response
is returned. Also, in view of the fact that the
transmission timing is managed by each safety slave
unit, as shown, the unsafety information is not necessarily
sent from all the safety slave units in the same
communication cycle.
[0061] Furthermore, the embodiment described
above concerns the master-slave method in which a desired
slave unit returns a response to a request from a
master unit. Specifically, the right to determine which of
the safety information and the unsafety information is to
be transmitted may be granted to either the master unit
or the safety slave unit, as described already. In any
way, the timing of transmission from each slave unit is
derived from an external trigger such as a request of the
master unit. The slave unit as it is called in this invention,
however, is not limited to the one included in the
master-slave communication. Specifically, in spite of the naming
"slave", an arbitrary communication method can be
used. In this respect, strictly speaking, the slave unit according
to the invention is considered to be different in
concept with the generally defined slave. In other words,
the slave unit as it is called in this invention can operate
on an arbitrary communication protocol for actual transmission
and receiving process as long as it has the function
of transmitting while switching the safety information
and the unsafety information at appropriate timing.
Especially, the destination of the unsafety information to
be transmitted according to the invention is not confined
to the master unit or the controller, but may be other devices
than the local node, i.e. other nodes such as the
configurator (configuration tool), the monitoring devices
or other slave units connected to a network.

[0062] The communication method can also be appropriately
selected in accordance with the other party
of transmission. The trigger for transmission is of course
not limited to an external request such as from the master
unit, for example, but the transmission may be based
on an internal trigger (internal timer, an event generated
when meeting predetermined conditions, etc.).
[0063] The "internal trigger" is based on the result of
executing a predetermined process by a slave unit itself
and generated in the particular slave unit. One example
of an internal trigger is the fact that the unsafety information
(the status information of the input/output unit,
etc.) acquired by the slave unit develops into a preset
status. Specifically, an internal trigger may be generated
in the case where the turn-on time of the input/output
devices exceeds 5000 hours or the number of times operated
exceeds ten thousand. An internal trigger signal
may also be generated periodically upon each lapse of
a predetermined time or at a predetermined time point
as counted by an internal clock.
[0064] In the case where an internal trigger is gener- 
ated when a preset status is attained, the frequent trans- 
mission of the unsafety information can be suppressed 
and the safety information can be transmitted in normal 
communication by appropriately setting the particular 
status. Thus, the required unsafety information can be 
transmitted efficiently by transmitting the unsafety infor- 
mation with the internal trigger generated at regular time 
intervals or when the life of the input/output devices is 
about to expire, in accordance with the operating conditions
of the input/output devices. Specifically, the
number of times operated and the turn-on time are not
very important information and are allowed to change by
several times or several minutes from the preceding data.
By suppressing the transmission of this less important
information, the safety information and the unsafety
information can be transmitted efficiently.
[0065] An example of a time chart for transmitting the 
information from the safety slave unit based on this in- 
ternal trigger is shown in Fig. 13. Specifically, each 
transmission device (safety slave unit) has an internal 
timer and generates an internal trigger at intervals of the 
transmission timer. In response to this internal timer, 
each safety slave unit outputs the safety information or 
the unsafety information to a predetermined destination. 
By setting this destination in advance, the information 
can be transmitted toward a master unit, other slave 
units or other nodes connected to the network. 
[0066] Each safety slave unit transmits the informa- 
tion based on its own internal timer. In the case where 
any other slave unit is already transmitting the informa- 
tion, however, the slave unit trying to transmit the infor- 
mation stops the transmission. In the case where an at- 
tempt to transmit the information at the same time leads 
to a conflict on the network, the safety slave unit of high- 
er priority order (smaller node number) continues the 
communication. As a result, the information can be 
transmitted from the safety slave units sequentially in a 
predetermined order in one communication cycle. By 
setting the transmission timer appropriately, the infor- 
mation can be subsequently repeatedly transmitted 
smoothly in the same order. 

[0067] An example of the function of the MPU of the
safety slave unit which executes the above-mentioned
transmission process is shown in the flowchart of Fig.
14. This function basically corresponds to the processing
flow shown in Fig. 10. Specifically, power is switched
on first of all, and the unsafety information transmission
sequence No. is set (ST41). In this example, the transmission
sequence No. is set to "3" for all the safety slave
units. This numerical value, however, is arbitrary and
can of course be varied from one safety slave unit to
another.

[0068] Upon complete setting, the generation of the
transmission conditions, i.e. the internal trigger is awaited
(ST42). Once the internal trigger is generated, it is
determined whether a safe state prevails now or not
(ST43), and in the case where no safe state prevails,
the safety information (hazardous) is transmitted
(ST44). In the case where a safe state prevails, on the
other hand, the sequence No. is checked (ST45), and if
it is less than 3, the safety information (safe) is transmitted,
while at the same time incrementing N representing
the sequence No. by 1 (ST46, ST47). Then, the process
returns to step 42 to wait for the arrival of the next transmission
conditions. In the case where the sequence No.
is 3 or more, on the other hand, it indicates the unsafety
information transmission timing, and therefore the unsafety
information is transmitted (ST48). After that, N is
set to 1 (ST49), followed by returning to step 42 to wait
for the arrival of the next transmission conditions.

[0069] The threshold value for determination in step
45 is set to "3" because the sequence No. for transmitting
the unsafety information is set to "3" in step 41. In
the case where the setting is not 3 in step 41, the criterion
in step 45 is also changed accordingly.

[0070] Also, which of the safety information and the
unsafety information is currently transmitted is determined
by the identification bit (Fig. 15) set in the transmission
frame. The safety slave unit, therefore, sets the
identification bit in accordance with one of the safety information
and the unsafety information for transmission.

[0071] The device receiving the information from the
safety slave unit has the function of executing the process
of the flowchart shown in Fig. 16. Specifically, after
power is switched on first, the arrival of a frame sent
from the safety slave unit is awaited (ST51). Upon receipt
of the frame, it is determined whether the frame is
normally received or not, and in the case of abnormal
receipt ("No" in step 52), the process such as stopping
the output is executed by the safety output means
(ST57). In the case of normal receipt, on the other hand,
the identification bit is checked. In the case where the
identification bit is zero, it indicates that the received data
is the unsafety information, and therefore the process
of receiving the unsafety information is executed
(ST54). Specifically, the acquired unsafety information
is stored in a predetermined area, the contents of the
information are analyzed, or the processing is executed
in accordance with the result of analysis. After that, the
process returns to step 51 to wait for the arrival of the
next frame.

[0072] In the case where the identification bit is 1, on
the other hand, the safety information is involved, and
therefore the safety information receiving process is executed
(ST55) and it is determined whether the contents
of the notice are safe or not (ST56). In the case where
the contents of the notice is safe, the process returns to
step 51 to wait for the arrival of the next frame. In the
case where the contents of the notice is hazardous and
not safe, on the other hand, the process of halting the
output or other process for safe output is executed
(ST57). By the way, the processing after receiving the
safety information or the unsafety information is similar
to the corresponding processing in the embodiments
described above, and therefore is not explained in detail.
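
The slave-side selection rule (Fig. 10, ST32 to ST37, and Fig. 14, ST42 to ST49) and the receiving process (Fig. 16, ST51 to ST57) can be traced in code as follows. This is an added example, not part of the patent text: the frame layout, the payload encoding of "safe"/"hazardous", the XOR check standing in for "normally received", and the latching halt are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { ID_UNSAFETY = 0, ID_SAFETY = 1 };            /* identification bit values from the text */
enum { STATE_SAFE = 0x00, STATE_HAZARDOUS = 0xFF }; /* assumed payload encoding */
enum { OUTPUT_RUN = 0, OUTPUT_HALT = 1 };

typedef struct {
    uint8_t id_bit;   /* 1 = safety information, 0 = unsafety information */
    uint8_t data[4];  /* safety state, or the unsafety value (e.g. operation count) */
    uint8_t check;    /* assumed stand-in for the frame check behind ST52 */
} frame_t;

typedef struct {
    unsigned unsafety_seq; /* sequence No. at which unsafety information is due (ST31, ST41) */
    unsigned n;            /* slave-side sequence counter N of Fig. 14 */
    uint32_t op_count;     /* sample unsafety information: number of operations */
} slave_t;

typedef struct {
    uint32_t stored_op_count;  /* unsafety information storage */
    int slave_estimated_safe;  /* set by an unsafety frame or a "safe" notice */
    int output;                /* assumed to latch at OUTPUT_HALT until reset */
} receiver_t;

static uint8_t frame_check(const frame_t *f) {
    uint8_t c = (uint8_t)(0xA5u ^ f->id_bit);
    for (size_t i = 0; i < sizeof f->data; i++) c ^= f->data[i];
    return c;
}

static frame_t make_frame(uint8_t id_bit, uint32_t value) {
    frame_t f;
    f.id_bit = id_bit;
    for (int i = 0; i < 4; i++) f.data[i] = (uint8_t)(value >> (24 - 8 * i));
    f.check = frame_check(&f);
    return f;
}

static uint32_t frame_value(const frame_t *f) {
    return ((uint32_t)f->data[0] << 24) | ((uint32_t)f->data[1] << 16) |
           ((uint32_t)f->data[2] << 8) | f->data[3];
}

/* Common rule: unsafety information goes out only while the unit is safe. */
static frame_t slave_reply(const slave_t *s, int safe_now, int unsafety_due) {
    if (!safe_now) return make_frame(ID_SAFETY, STATE_HAZARDOUS);   /* ST34 / ST44 */
    if (unsafety_due) return make_frame(ID_UNSAFETY, s->op_count);  /* ST37 / ST48 */
    return make_frame(ID_SAFETY, STATE_SAFE);                       /* ST36 / ST46 */
}

/* Fig. 10: the master's request carries the sequence No. */
static frame_t slave_on_request(const slave_t *s, unsigned seq_no, int safe_now) {
    return slave_reply(s, safe_now, seq_no == s->unsafety_seq);
}

/* Fig. 14: the slave counts its own internal triggers. */
static frame_t slave_on_trigger(slave_t *s, int safe_now) {
    int due = s->n >= s->unsafety_seq;                    /* ST45 */
    frame_t f = slave_reply(s, safe_now, due);
    if (safe_now) s->n = due ? 1 : s->n + 1;              /* ST49 / ST47 */
    return f;
}

/* Fig. 16: anything other than a valid "safe" notice or unsafety frame halts. */
static int receiver_on_frame(receiver_t *r, const frame_t *f) {
    r->slave_estimated_safe = 0;
    if (f->check != frame_check(f) || f->id_bit > ID_SAFETY)  /* ST52 "No" */
        return r->output = OUTPUT_HALT;                       /* ST57 */
    if (f->id_bit == ID_UNSAFETY) {                           /* ST54 */
        r->stored_op_count = frame_value(f);
        r->slave_estimated_safe = 1;
        return r->output;
    }
    if (frame_value(f) != STATE_SAFE)                         /* ST56 "No" */
        return r->output = OUTPUT_HALT;                       /* ST57 */
    r->slave_estimated_safe = 1;
    return r->output;
}

int main(void) {
    slave_t s = { 3, 1, 5000 };          /* constructed sample values */
    receiver_t r = { 0, 0, OUTPUT_RUN };
    int safe[] = { 1, 1, 1, 1, 0 };      /* hazardous at the fifth trigger */
    for (int i = 0; i < 5; i++) {
        frame_t f = slave_on_trigger(&s, safe[i]);
        printf("trigger %d: id_bit=%d output=%d\n", i + 1, f.id_bit, receiver_on_frame(&r, &f));
    }
    frame_t q = slave_on_request(&s, 3, 0);  /* unsafety requested while hazardous */
    printf("request 3 while hazardous: id_bit=%d\n", q.id_bit);
    return 0;
}
```

Because the receiver treats an unsafety frame as evidence of a safe state, the frame check has to cover the identification bit as well as the data, which is why `frame_check` includes it.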

[0073] With regard to the identification bit, the foregoing
description deals with a case in which the safety information
and the unsafety information are indicated by
one bit of "1" and "0", respectively. This invention, however,
is not limited to this, but another information may
be added. Specifically, in the case of unsafety information,
the specific information stored in the data unit include
various information such as the accumulated time
of conduction or operation, the number of times operated,
etc. of the input/output devices connected to the
slave units, and in the case where only a numerical value
is transmitted, the information associated with the
particular numerical value may not be recognized. In
such a case, the identification code for specifying the
type of the unsafety information may be added in accordance
with the contents of the data section. Further,
a plurality of I/O terminals are provided. In an assumed
case where eight I/O terminals are involved, for example,
an 8-bit identification code is prepared so that a bit
for identifying the safety information and the unsafety
information is set for each I/O terminal. Also, in the case
where all the eight I/O terminals transmit the unsafety
information or the safety information, all the eight bits
constitute the same identification bit. In such a case, the
eight bits can be represented by one bit. As a result, the
transmission data can be compressed and transmitted
within a short length of time. In this case, however, a
flag is required to discriminate an uncompressed identification
code from a compressed identification code.
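
One possible encoding of the 8-bit identification code with its compressed form, given as an added example that is not part of the patent text. The header layout (bit 7 as the compressed flag, bit 0 as the shared identification bit, a zero header byte before an uncompressed code) is an assumption; the text only requires that a flag distinguish the two forms.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IDC_COMPRESSED 0x80u  /* assumed position of the compressed/uncompressed flag */

/* bits: bit i is the identification bit of I/O terminal i (1 = safety, 0 = unsafety).
 * Writes 1 byte when all eight bits agree, otherwise 2 bytes; returns the length. */
static size_t idc_encode(uint8_t bits, uint8_t out[2]) {
    if (bits == 0x00 || bits == 0xFF) {
        out[0] = (uint8_t)(IDC_COMPRESSED | (bits & 1u));
        return 1;
    }
    out[0] = 0x00;   /* flag clear: the full 8-bit code follows */
    out[1] = bits;
    return 2;
}

/* Returns the number of bytes consumed, or 0 if the input is malformed. */
static size_t idc_decode(const uint8_t *in, size_t len, uint8_t *bits) {
    if (len < 1) return 0;
    if (in[0] & IDC_COMPRESSED) {
        if (in[0] & 0x7Eu) return 0;          /* reserved bits must be zero */
        *bits = (in[0] & 1u) ? 0xFF : 0x00;   /* expand one bit to all eight terminals */
        return 1;
    }
    if (in[0] != 0x00 || len < 2) return 0;   /* unknown header or truncated code */
    *bits = in[1];
    return 2;
}

/* Encodes and decodes every possible 8-bit code; returns the number of mismatches. */
static int idc_roundtrip_failures(void) {
    int failures = 0;
    for (unsigned v = 0; v <= 0xFF; v++) {
        uint8_t buf[2], back = 0;
        size_t n = idc_encode((uint8_t)v, buf);
        if (idc_decode(buf, n, &back) != n || back != v) failures++;
    }
    return failures;
}

int main(void) {
    uint8_t buf[2];
    printf("all safety: %zu byte(s)\n", idc_encode(0xFF, buf));
    printf("mixed 0x0F: %zu byte(s)\n", idc_encode(0x0F, buf));
    printf("round-trip failures: %d\n", idc_roundtrip_failures());
    return 0;
}
```

A receiver that gets 0 back from `idc_decode` cannot tell which terminals sent safety information, so it should handle the frame as an abnormal receipt.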

INDUSTRIAL APPLICABILITY 

[0074] As described above, according to this invention,
the unsafety information is transmitted on condition
that a safe state prevails. Even in the case where the
information other than the safety information (safety signal)
is transmitted or received through a network while
the system is in operation, therefore, the original response
time of the safety information is not delayed.



Claims

1. A safety network system constructed by connecting
a safety controller and safety slave units through a
safety network, characterized in that:

the safety slave units each have the safety information
transmission function for transmitting
the safety information for determining whether
a safe state prevails or not and the unsafety information
transmission function for transmitting
the unsafety information containing no safety
information; and

the unsafety information transmission function
transmits the unsafety information on condition
that the safety slave units are in a safe state.

2. The safety network system according to claim 1,
characterized in that the safety slave units transmit
a safety without sending the unsafety information
in the case where it is determined that no safe
state prevails at the timing of transmitting the unsafety
information.

3. The safety network system according to claim 1,
characterized in that the safety controller, upon receipt
of the unsafety information, estimates that the
safety slave unit constituting the transmitter of the
unsafety information is in a safe state.

4. A safety slave unit for connecting to a safety network
system constructed by connecting a safety
controller and the safety slave unit through a safety
network, characterized by comprising:

the safety information transmission function for
transmitting the safety information for determining
whether a safe state prevails or not and
the unsafety information transmission function
for transmitting the unsafety information containing
no safety information; and

characterized in that the unsafety information
transmission function transmits the unsafety information
on condition that the safety slave unit is
in a safe state.

5. The safety slave unit according to claim 4, characterized
in that

it is determined whether the request received
from the safety controller is a request for the safety
information or the unsafety information,

in the case where the received request is a
request for the safety information, the safety information
is transmitted, and

in the case where the received request is a
request for the unsafety information, the unsafety
information is transmitted as long as the safety
slave unit is in a safe state, and the safety information
is transmitted as long as the safety slave unit
is not in a safe state.

6. The safety slave unit according to claim 4, comprising
unsafety information transmission control
means for controlling the timing of transmitting the
unsafety information,

characterized in that the unsafety information
is sent on condition that a safe state prevails at
the timing of transmission.

7. A safety controller adapted to be connected to a
safety network system constructed by connecting a
safety controller and safety slave units through a
safety network, characterized by comprising:

a fail-safe processing function for analyzing the
contents of the safety information received from
the safety slave units and in the case where it
is determined that no safe state prevails, executing
a predetermined process; and

a function of estimating that the safety slave
unit at the transmitting end is in a safe state in
the case where the unsafety information is received.

8. The safety controller according to claim 7, characterized
by comprising unsafety information request
control means for controlling the timing of issuing a
request to transmit the unsafety information.

9. A communication method for a safety network system
constructed by connecting a safety controller
and a safety slave unit to each other through a safety
network, characterized in that:

the safety slave unit executes the process of
transmitting one of the safety information for
determining whether a safe state prevails or not
and the unsafety information containing no
safety information toward the safety controller
through the safety network at an appropriate
timing; and

the process of transmitting the unsafety information
is executed on condition that the safety
slave unit is in a safe state.

10. An information collecting method for a safety network
system constructed by connecting a safety
controller and a safety slave unit to each other
through a safety network, characterized in that:

the safety slave unit has the safety information
transmission function for transmitting the safety
information for determining whether a safe
state prevails or not and the unsafety information
transmission function for transmitting the
unsafety information containing no safety information,
the unsafety information transmission
function transmitting the unsafety information
on condition that the safety slave unit is in a
safe state;

the safety slave unit, when transmitting information
toward the safety controller, determines
which of the safety information and the unsafety
information is to be transmitted, and transmits
the information thus determined through the
safety network; and

the safety controller receives the safety information
or the unsafety information sent thereto
through the safety network, and in the case
where the received information is the unsafety
information, stores the information based on
the unsafety information.

11. A monitor method for a system constructed by connecting
a monitor device further to a safety network
system constructed by connecting a safety controller
and a safety slave unit through a safety network,
characterized in that:

the safety slave unit has the safety information
transmission function for transmitting the safety
function for determining whether a safe state
prevails or not and the unsafety information
transmission function for transmitting the unsafety
information containing no safety information,
the unsafety information transmission
function transmitting the unsafety information
on condition that the safety slave unit is in a
safe state;

the monitor device acquires the unsafety information
transmitted from the safety slave unit toward
the safety controller; and

the acquired unsafety information is analyzed
and the information based on the unsafety information
is stored.